Back in September 2017, Positive Technologies’ experts expressed interest in developing a technique that can attack Intel’s still-secretive Management Engine (IME) technology from the USB port. Now, they have revealed additional information about their plans. According to the experts, in December 2017 they intend to demonstrate that they have indeed identified a way to “run unsigned code in the Platform Controller Hub” on any given motherboard through the God-mode hack.
IMEs are built into the chipset, and their security has long been questioned by security experts; some have even touted it to be a black box of exploitable flaws and bugs. The Platform Controller Hub is the central point where IME is located; it has its own operating system called MINIX and its own CPU, and lets sysadmins control, configure and wipe machines across a network remotely. The platform is quite useful if you need to manage a large network of computers, especially in situations where an endpoint’s OS breaks down and does not boot properly.
So, when Positive Technologies experts state that they can hijack the Management Engine, this means they can take complete control of a box regardless of which operating system or antivirus is installed. This is made possible through the powerful God-mode hack attack, which is relatively new and used discreetly to spy upon users or hijack corporate data.
Positive Technologies has further revealed that the latest IME versions are equipped with JTAG (Joint Test Action Group) debugging ports, which can be accessed through USB. These ports allow a user low-level access to the code running on a chip. This is quite a threat for Intel because, using this technology, anyone can remotely exploit the firmware responsible for running the Management Engine and identify security vulnerabilities.
Game over! We (I and @_markel___ ) have obtained fully functional JTAG for Intel CSME via USB DCI. #intelme #jtag #inteldci pic.twitter.com/cRPuO8J0oG
— Maxim Goryachy (@h0t_max) November 8, 2017
Moreover, attackers can compromise the USB port and interfere with the functions of IME easily. The problem started when the Platform Controller Hub called Skylake began offering USB access to the JTAG interfaces of the system, which is referred to as Direct Connect Interface or DCI.
Full access the Intel ME( >=Skylake) by JTAG debugging via USB DCI https://t.co/TMvOirXOVI @ptsecurity @h0t_max @_markel___
— Hardened-GNU/Linux (@hardenedlinux) November 8, 2017
It is worth noting that the Platform Controller Hub manages the external communications and interfaces of the IMEs. However, researchers opine that, to attack IME, an attacker would need physical access to the USB port, which is a tough task.
Via: The Register